>>> Here's some: how about instead of an ssh-like system, use ssh itself. Front
>>> PyPI with an ssh server that users connect to. That way it is both secure and
>>> the infrastructure (agent, etc.) is already in place.

>> Yes please. I'd rather have one agent running and reuse my SSH key for
>> authentication.

> That would be awesome indeed. But that would involve quite some
> changes on server side. I'll forward this mail to catalog-sig for
> Richard, Martin and others' feedback.
I'm fairly skeptical. First, the infrastructure is *not* yet in place. Nobody has uploaded SSH keys to PyPI, and in order to allow SSH access, we probably would need to create a Unix account, which then runs a fixed (Python) program on ssh login. That is much less secure than the current setup, in the sense that this program can probably be tricked much more easily than Apache can. So it opens a door for people hacking into the system; all they have to do is to create a fake PyPI account and upload an SSH key...

To improve password storage, I think it would be better to use the platform's secure password storage services where available (e.g. OSX Keychain, KDE KWallet, etc). Of course, such a library should be developed independently of distutils. For Keychain, there is already http://muffinresearch.co.uk/archives/2008/02/05/python-keychainpy-access-to-the-mac-osx-keychain/

Regards,
Martin

_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
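The credential-storage suggestion above, as an added example that is not part of the thread and not distutils code: a small lookup routine that asks the platform's secure store first (through the third-party `keyring` package, assumed to be optionally installed; the real OSX Keychain/KWallet backends sit behind it) and otherwise falls back to a file that it refuses to read unless the file is owner-only. The service name, the file format and the sample credential are constructed for the example.

```python
"""Added example (not from the Distutils-SIG thread or from distutils):
prefer the OS secure store for an upload password, fall back to a
permission-checked file, and refuse a file that others can read."""
import os
import stat
import tempfile
from typing import Optional

try:
    import keyring  # third-party and optional; assumed, not part of the page
except ImportError:
    keyring = None

SERVICE = "pypi-upload-example"  # constructed service name for the keychain entry


def file_is_private(path: str) -> bool:
    """True if path is a regular file with no group/other permission bits."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def write_password_file(path: str, username: str, password: str) -> None:
    """Create the fallback file owner-only from the first byte (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(f"{username}:{password}\n")


def read_password_file(path: str, username: str) -> Optional[str]:
    """Fallback store: 'user:password' lines; raise if the file is readable by others."""
    if not os.path.exists(path):
        return None
    if not file_is_private(path):
        raise PermissionError(f"{path} is readable by group/others; refusing to use it")
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            user, sep, password = line.rstrip("\n").partition(":")
            if sep and user == username:
                return password
    return None


def get_password(username: str, fallback_path: str) -> Optional[str]:
    """Try the platform secure store via keyring, then the checked fallback file."""
    if keyring is not None:
        try:
            secret = keyring.get_password(SERVICE, username)
            if secret is not None:
                return secret
        except Exception:
            pass  # no usable backend on this host (e.g. headless box); use the file
    return read_password_file(fallback_path, username)


def demo() -> dict:
    """Round trip with a constructed credential in a temporary directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "upload-credentials")
    write_password_file(path, "alice", "s3cret")  # constructed sample credential
    results = {
        "private": file_is_private(path),
        "alice": get_password("alice", path),
        "bob": get_password("bob", path),
        "missing": read_password_file(os.path.join(workdir, "absent"), "alice"),
    }
    os.chmod(path, 0o644)  # simulate a world-readable credentials file
    results["private_after_chmod"] = file_is_private(path)
    try:
        read_password_file(path, "alice")
        results["refused"] = False
    except PermissionError:
        results["refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The permission check is the part worth keeping even where a keychain exists: a plaintext fallback is only as safe as its mode bits, so the reader refuses anything that is not 0600-equivalent rather than silently using it.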
